
Preparing the Cybersecurity Risk Management Program

The SOC for Cybersecurity standard, issued by the AICPA, requires the implementation and maintenance of a cybersecurity risk management program. This program gives the user insight into how risks are managed and which IT components are used. The implementation of this program is in principle form-free, but all Description Criteria must be part of the description. In addition, no relevant parts should be excluded that could influence the choices of users.


1. Reporting Sections

The SOC for Cybersecurity report consists of three main parts. Section 1 is the assertion of the organization's management. Section 2 contains the assurance report of the independent auditor, including a statement on the operation of the cybersecurity program. The cybersecurity risk management program itself is described in Section 3, which gives a detailed description of the program and its processes and policies.


2. Description Criteria

The Description Criteria are intended to be applied across the organization. However, it is also possible to create a cybersecurity risk management program for a specific division or section of the organization. All Description Criteria must be taken into account when implementing the program. First, the nature of the business and operations and the information at risk are identified. Next, the program outlines the cybersecurity risk management objectives, the governance structure and the risk assessment process. Communication and information procedures are also part of the program, which is completed by the monitoring and cybersecurity audit process.


3. Maintaining the Program

The risks to which your company is exposed drive the risk management response and the associated risk management strategy. Managing cybersecurity risks is no different. Once the organization has established the Cybersecurity Risk Management program, the network and IT services must be continuously monitored. This must be ensured both internally and externally, for example by maintaining and monitoring physical and logical access controls.


To maintain the risk management program, excellent and timely communication is the key. All relevant staff should understand the importance of the program and the role they play within the implemented policies and procedures. Only then will the program actually be successful.